brk(2) is actually not a very fast system call when you ask for storage. This is mainly because the kernel has to zero the pages before handing them over, so this implementation does not release heap pages until there is a large chunk to release back to the kernel. Chances are pretty good that we will need it again pretty soon anyway. Since these pages are not accessed at all, they will soon be paged out and don't affect anything but swap-space usage.
The page directory is actually kept in a mmap(2)'ed piece of anonymous memory. This avoids some rather silly cases that would otherwise have to be handled when the page directory has to be extended.
One particularly nice feature is that all pointers passed to free(3) and realloc(3) can be checked conclusively for validity. First the pointer is masked to find the page. The page directory is then examined: it must contain either MALLOC_FIRST, in which case the pointer must point exactly at the page, or a struct pginfo*, in which case the pointer must point to one of the chunks described by that structure. If the pointer is found to be invalid, a warning is printed on stderr and nothing is done with it.
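The check described above, as an added example over a simplified model (not the allocator's own source). The toy arena, the `NOT_MINE` sentinel, the numeric sentinel values, the `shift`/`inuse` fields, the in-use bitmap test and the `verdict` enum are assumptions made for illustration; only MALLOC_FIRST and struct pginfo are named in the text.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  4096u
#define NPAGES     4                    /* constructed toy heap of four pages */

struct pginfo {                         /* simplified; both fields are assumptions */
    unsigned shift;                     /* chunk size is 1 << shift bytes */
    uint32_t inuse;                     /* bit i set: chunk i is allocated */
};
/* Small integers can never be real pointers, so they serve as directory tags. */
#define NOT_MINE     ((struct pginfo *)0)   /* hypothetical: page not handed out */
#define MALLOC_FIRST ((struct pginfo *)2)   /* first page of a page-sized allocation */

enum verdict { PTR_OK, PTR_NOT_OURS, PTR_NOT_PAGE_START, PTR_NOT_CHUNK, PTR_CHUNK_FREE };

static _Alignas(PAGE_SIZE) unsigned char arena[NPAGES * PAGE_SIZE];
static struct pginfo *page_dir[NPAGES];
static struct pginfo small = { 8, 0x5 };    /* 256-byte chunks; chunks 0 and 2 live */

void setup_demo(void)
{
    page_dir[0] = MALLOC_FIRST;         /* page 0: one whole-page allocation */
    page_dir[2] = &small;               /* page 2: split into chunks */
}

enum verdict check_ptr(const void *ptr)
{
    uintptr_t p = (uintptr_t)ptr, base = (uintptr_t)arena;
    if (p < base || p >= base + sizeof arena)
        return PTR_NOT_OURS;            /* outside the heap entirely */
    uintptr_t off = p & (PAGE_SIZE - 1);            /* mask: offset within page */
    struct pginfo *info = page_dir[(p - base) >> PAGE_SHIFT];

    if (info == NOT_MINE)
        return PTR_NOT_OURS;
    if (info == MALLOC_FIRST)           /* must point exactly at the page */
        return off == 0 ? PTR_OK : PTR_NOT_PAGE_START;
    if (off & ((1u << info->shift) - 1))
        return PTR_NOT_CHUNK;           /* interior pointer into a chunk */
    if (!(info->inuse & (1u << (off >> info->shift))))
        return PTR_CHUNK_FREE;          /* chunk boundary, but not allocated */
    return PTR_OK;
}

int main(void)
{
    setup_demo();
    printf("%d %d\n", (int)check_ptr(arena + 16), (int)check_ptr(arena + 2 * PAGE_SIZE + 256));
    return 0;
}
```

A free(3) built on this check would print its warning and return for every verdict other than `PTR_OK`, so a stray or repeated free never reaches the allocator's bookkeeping.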
An environment variable MALLOC_OPTIONS allows the user some control over the behaviour of malloc. Some of the more interesting options are: